Mobile Threat Monday: Android Apps and Permissions

Do you know what permissions all the apps on your Android device are requesting? SecurityWatch takes a look in this week's list of dangerous Android apps.

Permissions are really tricky when it comes to Android apps. When you are about to install an app from Google Play, you see a list of all the things the app wants to do. Sometimes the requests are really strange, such as an air-hockey-style game wanting access to my contacts, and the PolarisOffice word processing suite needing to send SMS messages.

Then there's the fact that some permissions are a bit broader than you may realize. When you grant an app access to the device camera, say for a banking app's check-deposit feature or for snapping and posting images to Facebook, you are also giving the app permission to "use the camera at any time without your confirmation." It appears the developer can turn on the camera at any time, even when the user is not actively using it, which means an app could conceivably take pictures without the user's knowledge. Make sure the app has a legitimate reason for wanting to use the camera. Otherwise it can spy on you.

BitDefender used its Clueful service to identify some of the more commonly downloaded apps on Google Play with questionable permissions.

[1] Sally's Nail Salon

BitDefender's Clueful app flagged Sally's Nail Salon (version 1.1.3'13) from NuttyApps as a risky app on Google Play. It has been downloaded between 1 million and 5 million times. Sally's Nail Salon uploads the Android ID to api.vungle.com, a mobile video advertising network, which can be used to track user location and behavior across multiple apps.

The app also shares the user's phone number with the aggressive ad network AirPush. We've previously flagged several apps using AirPush, which displays ads in the notification area and creates icons on the device Home screen. One good thing is that AirPush requires users to opt in to see those ads. The data transfer also requires the user to opt in first.

[2] Zombie Dress Up Game

Zombie Dress Up-Zombie Game from GoodSoundsApps reappeared on this week's list, after being flagged for the first time a little over a month ago. With between 50,000 and 100,000 downloads, Zombie Dress Up Game collects and sends even more user data to AirPush servers. Along with the Device ID, the app sends the user's phone number, email address, and location to AirPush, according to BitDefender. The data transfer requires the user to opt in first.

[3] Bad Pigs

As SecurityWatch reported earlier, F-Secure identified an app masquerading as Rovio's Angry Birds sequel, Bad Piggies. Even though the game icon was exactly the same as the real Bad Piggies, the name was slightly different (Bad Pigs), as was the developer (Dan Stokes).

Bad Pigs requested an enormous number of permissions, including the ability to change some settings and full access to your location and personal information, among others. The original Bad Piggies doesn't ask for so many. If you're among the 10,000 people tricked into thinking this was the real thing, delete it from your device right away.
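The comparison above, a lookalike asking for far more than the original, can be checked mechanically. The Python below is an added example, not code from the article, BitDefender or F-Secure: it diffs the permissions declared in two AndroidManifest.xml files that have already been decoded to text. Both manifests, their package names and the `SENSITIVE` list are constructed for illustration and do not describe any real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption of this example: permissions treated as high-impact for a game.
SENSITIVE = {
    "android.permission.CAMERA", "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE", "android.permission.WRITE_SETTINGS",
}

# Constructed sample manifests (hypothetical packages, not real apps).
REFERENCE_MANIFEST = """<manifest package="com.example.originalgame"
    xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

LOOKALIKE_MANIFEST = """<manifest package="com.example.lookalikegame"
    xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    # For manifests from untrusted APKs, prefer a hardened parser (defusedxml).
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names


def compare(reference_xml, candidate_xml):
    """Report what the candidate requests beyond the reference app."""
    extra = requested_permissions(candidate_xml) - requested_permissions(reference_xml)
    return {"extra": sorted(extra), "extra_sensitive": sorted(extra & SENSITIVE)}


if __name__ == "__main__":
    print(compare(REFERENCE_MANIFEST, LOOKALIKE_MANIFEST))
```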

Trojanized apps are repackaged apps pretending to be "free," or cracked, versions of popular games and have extra malicious features that can cause big problems for Android users. "Dan Stokes" has two other games, "Fruit Chop Ninja" and "Paper Toss 2," which are copies of popular Android apps. SecurityWatch recommends removing these unauthorized versions right away.
